| *** mhen_ is now known as mhen | 02:59 | |
| jbernard | #startmeeting cinder | 14:05 |
|---|---|---|
| opendevmeet | Meeting started Wed Feb 26 14:05:49 2025 UTC and is due to finish in 60 minutes. The chair is jbernard. Information about MeetBot at http://wiki.debian.org/MeetBot. | 14:05 |
| opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 14:05 |
| opendevmeet | The meeting name has been set to 'cinder' | 14:05 |
| jbernard | #topic roll call | 14:05 |
| yuval | 0/ | 14:05 |
| jbernard | o/ | 14:05 |
| whoami-rajat | Hi | 14:06 |
| sfernand | hi | 14:06 |
| Sai | o/ | 14:06 |
| jbernard | #link https://etherpad.opendev.org/p/cinder-epoxy-meetings | 14:06 |
| akawai | o/ | 14:06 |
| abishop | o/ | 14:06 |
| Luzi | o/ | 14:06 |
| rosmaita | o/ | 14:06 |
| jbernard | welcome everyone | 14:09 |
| jbernard | #topic annoucements | 14:10 |
| jbernard | ff (feature freeze) is this week according to the schedule | 14:10 |
| jbernard | #link https://releases.openstack.org/epoxy/schedule.html | 14:10 |
| jbernard | this has been quite a week so far, some kind of stomach bug thing has nearly crushed my soul :/ BUT I'm getting better finally :) | 14:11 |
| whoami-rajat | jbernard, good to know you are recovering | 14:11 |
| jbernard | mhen, Luzi: brian (rosmaita) and I owe you a review for the encryption patch | 14:12 |
| rosmaita | yes | 14:12 |
| jbernard | whoami-rajat: thanks, i thought i might escape the winter season without any major sickness, but i was wrong! (again) | 14:12 |
| whoami-rajat | :/ | 14:13 |
| jbernard | mhen, Luzi: this is on the priority list (among others) so hang in there and dont stress too much :) | 14:13 |
| jbernard | there are many reviews needing feedback, if anyone has extra cycles, help in the review backlog is most appreciated | 14:13 |
| msaravan | Hi | 14:14 |
| Luzi | this week is feature freeze, isn't it? | 14:14 |
| jbernard | msaravan: heya | 14:14 |
| jbernard | msaravan: you have a patch needing feedback | 14:14 |
| jbernard | #link https://review.opendev.org/c/openstack/cinder/+/942342 | 14:14 |
| jbernard | Luzi: yes | 14:14 |
| msaravan | sure, will do it tonight | 14:14 |
| jbernard | Luzi: technically :) | 14:14 |
| jbernard | msaravan: sorry, this is the one related to cert based auth | 14:15 |
| jbernard | msaravan: i meant you are in need of feedback | 14:15 |
| jbernard | ^ this is a netapp patch that awaits reviews as well | 14:16 |
| msaravan | I verified that, and that patch looks good. | 14:16 |
| msaravan | I'll update my comments again. | 14:16 |
| Sai | Thank you both of you for reviewing the cert based auth patch !! jbernard, msaravan | 14:18 |
| jbernard | Sai, msaravan: re netapp ci, those issues will be resolved soon? | 14:19 |
| jbernard | that's about it, in terms of current state | 14:20 |
| jbernard | ff is coming | 14:20 |
| jbernard | reviews are needed | 14:20 |
| jbernard | any addition feedback on the encryption patch is much appreciated | 14:20 |
| jbernard | #link https://review.opendev.org/c/openstack/cinder/+/926298 | 14:21 |
| jbernard | any testing or code comments are useful | 14:21 |
| jbernard | ill open things up | 14:21 |
| jbernard | #topic open discussion | 14:21 |
| Sai | jbernard: Yes, we are on it and issues will be resolved soon. | 14:21 |
| jbernard | Sai: excellent | 14:22 |
| yuval | if nobody have anything I can bringup a small issue | 14:24 |
| jbernard | yuval: sure | 14:25 |
| yuval | https://review.opendev.org/c/openstack/os-brick/+/942689 - we use here env variable "VIRTUAL_ENV" This is special for os-brick, I wonder why and is it really needed? | 14:25 |
| jbernard | the change id is | 14:28 |
| jbernard | Change-Id: Ib191c075ad1250822f6ac842f39214af8f3a02f0 | 14:28 |
| yuval | gorka is around? I see he wrote it | 14:28 |
| jbernard | yuval: gorka left a pretty good commit message | 14:28 |
| jbernard | yuval: but it's possible the conditions he encouterend in 2020 are no longer present | 14:29 |
| yuval | why the hard limit on os-brick while nova and cinder dont need to set any special env variable | 14:31 |
| jbernard | it looks like we need to ammend the privsep capabilities when running as non-root | 14:32 |
| yuval | I meet this issue when working with kolla-ansible, insert the env variable to the kolla-docker is not trivial | 14:32 |
| jbernard | does it break without this variable set? | 14:32 |
| yuval | yes - permission issues happens | 14:33 |
| yuval | its depends on the backend - if you need some cap's | 14:33 |
| jbernard | i would consider the kolla-ansible environment, maybe there is something more accurate we can use to detect this, rather than VIRTUAL_ENV | 14:35 |
| jbernard | maybe... | 14:35 |
| rosmaita | maybe there is a clue in the bug? https://bugs.launchpad.net/os-brick/+bug/1884059 | 14:37 |
| whoami-rajat | so the issue Gorka saw was we needed to bypass read permissions in a virtual env, are we seeing this issue in other scenario? I'm not sure how/where kolla-ansible deploys os-brick | 14:37 |
| yuval | its not doing anything special, the os-brick is deploy part of nova and cinder containers | 14:39 |
| whoami-rajat | and you have observed that the read permission issue happens outside of virtual env as well? | 14:39 |
| yuval | I believe maybe in more past days we were more cheap on giving process cap's | 14:40 |
| yuval | whoami-rajat: yes, the process runs inside a docker | 14:40 |
| yuval | maybe thats related | 14:40 |
| jbernard | in general we try to elevate priveledges as little as possible, and only when absolutely needed; so perhaps this patch is slighly too narrow and needs to be revised. | 14:41 |
| whoami-rajat | ok, and IIUC it's the nova compute container right? does cinder-volume container also face similar permission issues while using os-brick? | 14:41 |
| yuval | I saw it in nova - when attaching volume (the lightbits backend moves a file from tmp to etc/...) | 14:43 |
| yuval | I am sure in cinder container I will see the same behavior | 14:43 |
| whoami-rajat | ok, we can try creating a volume from image, which triggers similar attach/detach workflow as nova does | 14:44 |
| whoami-rajat | and if it succeeds, compare both container privileges | 14:44 |
| whoami-rajat | I'm trying to understand what happened recently that is causing this issue since the code has been there since 2020 | 14:44 |
| yuval | its not that something was changed - so far I used special branches in kolla to add the env variable. but I really dont understand the need for this, so I am wonder if we can remove it | 14:45 |
| yuval | https://opendev.org/openstack/cinder/src/branch/master/cinder/privsep/__init__.py | 14:46 |
| yuval | looking at this | 14:46 |
| yuval | also nova is the same | 14:46 |
| whoami-rajat | yuval, i think that's different from what os-brick uses, i can see cinder one was implemented for cgroup throttling | 14:49 |
| whoami-rajat | here the sys_admin_pctxt is used https://opendev.org/openstack/cinder/src/branch/master/cinder/privsep/cgroup.py#L26 | 14:49 |
| whoami-rajat | in os-brick, we use the "default" defined in os-brick itself https://github.com/openstack/os-brick/blob/master/os_brick/privileged/lightos.py#L23 | 14:50 |
| whoami-rajat | and nova might have it's own usage of it's privsep context that it creates which i don't know much about | 14:51 |
| yuval | is there an alternative to using the default? | 14:51 |
| whoami-rajat | i don't see a way to configure it, we can surely elevate the privileges by adding more capabilities, the only concern i have is the reason for doing it | 14:53 |
| yuval | I see this comment in the code: # It is expected that most (if not all) os-brick operations can be | 14:53 |
| yuval | # executed with these privileges. | 14:53 |
| whoami-rajat | previously Gorka added the read permission for a specific case i.e. virtualenv, but I'm unsure about the issue you are facing | 14:53 |
| whoami-rajat | i think it would be good to log a bug first with the issue faced | 14:54 |
| yuval | I see ok | 14:54 |
| jbernard | ok, last call | 14:57 |
| rahman-lb | A very small patch related to docs https://review.opendev.org/c/openstack/cinder/+/942672 | 14:57 |
| jbernard | rahman-lb: added to the list | 14:58 |
| jbernard | thank you everyone, have a good rest of the week! | 14:58 |
| jbernard | #endmeeting | 14:59 |
| opendevmeet | Meeting ended Wed Feb 26 14:59:01 2025 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 14:59 |
| opendevmeet | Minutes: https://meetings.opendev.org/meetings/cinder/2025/cinder.2025-02-26-14.05.html | 14:59 |
| opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/cinder/2025/cinder.2025-02-26-14.05.txt | 14:59 |
| opendevmeet | Log: https://meetings.opendev.org/meetings/cinder/2025/cinder.2025-02-26-14.05.log.html | 14:59 |
| whoami-rajat | thanks! | 15:00 |
| *** dviroel is now known as dviroel_bbl | 21:31 | |
| *** jhorstmann is now known as Guest10221 | 23:03 | |
| *** dviroel_bbl is now known as dviroel | 23:17 | |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!